AD-Attacks

Privilege Escalation in Active Directory


Comprehensive guide to Privilege Escalation techniques in Active Directory environments, including various methods attackers use to gain higher levels of access and permissions within a compromised network.

Kerberoasting
Exploit service accounts with Service Principal Names (SPNs) to obtain and crack their password hashes.
Tools: Rubeus, Impacket's GetUserSPNs.py, PowerView

AS-REP Roasting
Exploit accounts with 'Do not require Kerberos preauthentication' enabled to obtain crackable password hashes.
Tools: Rubeus, Impacket's GetNPUsers.py, ASREPRoast

DCSync Attack
Abuse domain replication privileges to retrieve password hashes from Domain Controllers.
Tools: Mimikatz, Impacket's secretsdump.py, DSInternals

Token Impersonation
Steal and use access tokens to impersonate other users or processes with higher privileges.
Tools: Incognito, Mimikatz, TokenManipulation.ps1

GPO Abuse
Exploit misconfigured Group Policy Objects to escalate privileges across the domain.
Tools: PowerView, SharpGPOAbuse, Group Policy Management Console

Constrained Delegation Abuse
Exploit misconfigured Kerberos constrained delegation to impersonate users and gain unauthorized access.
Tools: Rubeus, PowerView, ADExplorer

Resource-Based Constrained Delegation
Abuse resource-based constrained delegation to escalate privileges by modifying computer objects.
Tools: Rubeus, PowerView, ADExplorer

DnsAdmins Group Abuse
Exploit membership in the DnsAdmins group to load a malicious DLL and gain SYSTEM privileges on a Domain Controller.
Tools: dnscmd, custom malicious DLL, PowerShell

ACL Abuse
Exploit misconfigured Access Control Lists (ACLs) on AD objects to gain unauthorized permissions.
Tools: PowerView, BloodHound, ADExplorer

LAPS Abuse
Exploit misconfigurations in Local Administrator Password Solution (LAPS) to obtain local admin passwords.
Tools: LAPSToolkit, PowerView, AdmPwd.PS

MS Exchange Abuse
Exploit Exchange server privileges to gain Domain Admin rights or access to sensitive mailboxes.
Tools: PowerShell, MailSniper, Ruler

Print Spooler Service Abuse
Exploit vulnerabilities in the Print Spooler service to escalate privileges on domain-joined machines.
Tools: PrintNightmare exploits, Mimikatz, PowerShell scripts

Defending Against Privilege Escalation

While understanding privilege escalation techniques is crucial for security assessments, it's equally important to implement strong defensive measures. Here are some key strategies to protect your Active Directory environment against privilege escalation attempts:

  • Implement the principle of least privilege for user and service accounts
  • Regularly audit and monitor changes to critical Active Directory objects and ACLs
  • Use Protected Users security group for privileged accounts
  • Implement and maintain a robust patch management process
  • Utilize Advanced Threat Analytics (ATA) or Azure Advanced Threat Protection (ATP) for anomaly detection
  • Implement strong password policies and enforce multi-factor authentication
  • Regularly rotate KRBTGT account password and other critical service account passwords
  • Monitor and alert on suspicious changes to Group Policy Objects
  • Implement Just-In-Time (JIT) and Just-Enough-Administration (JEA) practices
  • Use Privileged Access Workstations (PAWs) for administrative tasks
  • Implement and maintain an incident response plan for privilege escalation scenarios
  • Regularly conduct security assessments and penetration tests to identify potential vulnerabilities
  • Monitor for unauthorized changes to Service Principal Names (SPNs) and Kerberos delegations
  • Implement strict controls on domain controller access and management
  • Use Microsoft Local Administrator Password Solution (LAPS) to manage local admin passwords
  • Regularly review and clean up dormant accounts and stale objects in Active Directory
  • Implement network segmentation to limit the impact of compromised credentials
  • Use Windows Defender Credential Guard to protect against credential theft and reuse
  • Implement and maintain a comprehensive security information and event management (SIEM) solution
  • Conduct regular security awareness training for all users, especially those with elevated privileges
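Several of the items above (SPN and delegation monitoring, Protected Users, DnsAdmins membership, Print Spooler on domain controllers) can be checked with a read-only directory query. The following audit script is an added example, not code from this page; it assumes the RSAT ActiveDirectory module on a domain-joined Windows PowerShell 5.1 host with read access to the directory, and default group names.

```powershell
# Added audit script (not from the original page). Read-only: it lists the AD
# settings the techniques above depend on so they can be reviewed and fixed.
# Assumes the RSAT ActiveDirectory module on a domain-joined Windows PowerShell
# 5.1 host with read access to the directory; group names are the defaults.
Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Object = $Object; Detail = $Detail })
}

# Kerberoasting: user accounts that carry an SPN; a stale password makes a ticket cheap to crack.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties PasswordLastSet |
    ForEach-Object { Add-Finding 'User with SPN' $_.SamAccountName "PasswordLastSet=$($_.PasswordLastSet)" }

# AS-REP roasting: Kerberos pre-authentication disabled.
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
    ForEach-Object { Add-Finding 'Pre-auth not required' $_.SamAccountName 'Re-enable pre-authentication' }

# Delegation: unconstrained, constrained and resource-based, on users and computers.
# Domain controllers are unconstrained by design and are skipped.
$dcNames = (Get-ADDomainController -Filter *).Name
$delegProps = 'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
@(Get-ADUser -Filter * -Properties $delegProps) + @(Get-ADComputer -Filter * -Properties $delegProps) |
    Where-Object { $_.Name -notin $dcNames } | ForEach-Object {
        if ($_.TrustedForDelegation) { Add-Finding 'Unconstrained delegation' $_.SamAccountName 'Replace with constrained delegation' }
        if ($_.'msDS-AllowedToDelegateTo') { Add-Finding 'Constrained delegation' $_.SamAccountName ($_.'msDS-AllowedToDelegateTo' -join ';') }
        if ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity') { Add-Finding 'RBCD configured' $_.SamAccountName 'Verify who may write this attribute' }
    }

# DnsAdmins: membership allows loading a DLL into the DNS service (usually on a DC); keep it empty or tightly controlled.
Get-ADGroupMember -Identity 'DnsAdmins' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'DnsAdmins member' $_.SamAccountName 'Confirm the membership is required' }

# Protected Users: every Domain Admin should be in it (blocks NTLM, weak Kerberos ciphers and delegation of their credentials).
$protected = @(Get-ADGroupMember -Identity 'Protected Users' -ErrorAction SilentlyContinue).SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
    ForEach-Object { Add-Finding 'Admin not in Protected Users' $_.SamAccountName 'Add to Protected Users (test service impact first)' }

# Print Spooler on domain controllers: should be stopped and disabled.
foreach ($dc in $dcNames) {
    # PowerShell 7 removed -ComputerName from Get-Service; use Invoke-Command there.
    $svc = Get-Service -ComputerName $dc -Name Spooler -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { Add-Finding 'Spooler running on DC' $dc 'Stop and disable the Print Spooler service' }
}

$findings | Sort-Object Category, Object | Format-Table -AutoSize
```

Run it periodically and diff the output against the previous run; a new SPN, a newly disabled pre-authentication flag or a new delegation entry is exactly the change the monitoring items above ask you to alert on.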

For more detailed information on defending against these techniques and implementing a robust Active Directory security strategy, visit our Defensive Techniques page.